Tuesday, 3 December 2013

Data Breach at Loyaltybuild: Update 22 November 2013

Following the data breach which occurred at Loyaltybuild in October resulting in the breach of personal data of some 1.5 million individuals (including 376,000 individuals whose full credit card data was compromised), the investigation of the ODPC has been continuing.

The ODPC received a full client company list from Loyaltybuild in respect of those client companies whose customer data was exposed during the data breach. The ODPC immediately instructed Loyaltybuild to notify these client companies of the breach of their customers’ data and received confirmation from Loyaltybuild that this has taken place.

The ODPC also made contact with the client companies of Loyaltybuild based in this jurisdiction and instructed them to inform their customers of the breach of their data in accordance with our data security breach code of practice. The focus of our investigation to date has been uncovering the extent and nature of the personal data involved in the breach and ensuring that affected individuals have been duly notified. It is our understanding that this notification process is nearing completion.

Given the transborder nature of this data breach, the ODPC has taken the important measure of notifying relevant European colleague data protection authorities providing them with relevant information for any follow up action they may need to take.

The ODPC investigation is continuing with the focus now on security practices and procedures employed by the company. Part of this phase of the investigation will also involve the carrying out of a follow up inspection. The company has ceased its processing of personal data until such time as it can satisfy this Office that adequate security measures are in place.

Tuesday, 12 November 2013

Criminal Involvement in Super Valu Customer Breaches

A criminal attack is behind the data breach affecting customers of SuperValu and Axa Insurance, the data protection commissioner said today.

Billy Hawkes also warned that the criminals involved have the information needed to use the credit cards of people affected by the data breach.

“We were told about the original issue last week, last Monday, but we were updated and told the situation was more serious because we now know the criminals involved have all the information needed to use the credit cards of the people concerned to make purchases,” he told RTE’s Morning Ireland.

As a result, the Consumers Association of Ireland (CAI) is advising affected customers to cancel their credit cards.

"We’re suggesting that customers certainly get in contact with their credit card providers immediately," said Dermott Jewell, Policy and Council Advisor at the CAI.

"In light of what the Data Commissioner has announced this morning - that criminals have full access to confidential bank details – we would advise those affected to contact their credit providers and get advice on how to proceed."

Mr Hawkes said today a team of investigators is to enter Loyaltybuild in Clare, the company operating the loyalty holiday scheme on behalf of the companies.

The company operates loyalty schemes for a number of European companies, he told RTE radio’s Morning Ireland.

“That is why we need to send in our inspection team,” Mr Hawkes said.

“We need to find out for ourselves if more action is needed to be taken.”

Earlier it emerged that the breach was worse than expected - over 60,000 SuperValu customers may have had their financial data stolen after the retailer announced a data breach is more extensive than first thought.

Axa Insurance said about 8,000 customers had been affected.

Last week, Super Valu warned customers of its loyalty holiday scheme that their banking information may have been accessed by a third party.

The programme has since been suspended and the data protection commissioner was informed of the leak - but at the time SuperValu said it was not aware of any breaches of financial information.

But tonight a statement by SuperValu warns customers that Loyaltybuild had advised the Data Protection Commissioner that the security breach of its system “is more extensive than it first anticipated”.

“Based on this latest information from Loyalty Build, SuperValu are tonight contacting Getaway Breaks customers that there is a high risk that an unauthorised third party accessed the details of payment cards used to pay for Getaway Breaks between January 2011 and February 2012,” the statement read.

It said that 62,500 customers who made bookings during this period have been told to contact their bank or financial institution as soon as possible.

They have also been advised to immediately check the transactions on their payment cards for any suspicious activity.

Customers of the scheme have also been advised to treat any unsolicited communication they receive claiming to represent SuperValu Getaway Breaks or Loyalty Build with extreme caution.

Super Valu and Loyaltybuild are continuing to investigate the matter which is affecting customers of the holiday scheme only.
Irish Independent 12th November 2013

Thursday, 7 November 2013

Super Valu breach customers' data protection rights

Irish Times

Supervalu has been forced to contact thousands of customers who have bought its “getaway breaks” after a security breach at the company that oversees the scheme left sensitive financial data potentially compromised.

The “getaway breaks” vouchers are a key loyalty reward programme run by the US-owned company Loyaltybuild, which is based in Co Clare. It is reviewing the security of the personal and payment card information held on its booking system.

“This review is necessary as Loyaltybuild has advised its client base in Ireland that its system may have been compromised by a third party,” said Supervalu in a statement.

‘Precautionary measure’
He said that there was no information to suggest that any sensitive customer data had been obtained “as yet”, and said that “as a precautionary measure” it was urging customers who had booked a getaway break recently to review their accounts and report any unusual activity or unsolicited communication connected with the deal to their bank.

Supervalu apologised to its customers for any unnecessary concern that details of the breach may have caused and said the “Getaway Breaks” booking system will remain temporarily suspended until the Loyaltybuild system has been given the all clear.

The company managing the rewards programme has informed the Data Protection Commissioner of the potential breach, which was uncovered on October 25th, and it stressed that all payment card information it holds is encrypted.

“We immediately engaged the services of a firm of leading, international, online security experts,” a spokeswoman said. “They are conducting a forensic investigation to help us identify whether any of our stored data was compromised, and, if so, to what extent.”

She said that as of 5pm yesterday, the forensics team reported there had been no signs of personal or financial details data being extracted or compromised but added that the examination is ongoing.

She said that the company was “working around the clock with our security experts to get to the bottom of this and to further enhance our security”.

Wednesday, 16 October 2013

Company convicted of sending spam email to former swimmer Michelle Smith de Bruin

Two companies have been convicted of sending spam email or text messages, including one sent to barrister and former Olympic swimmer Michelle Smith de Bruin.

Lex Software Ltd, trading as Legal and General Software, pleaded guilty before the Dublin District Court to two charges of sending unsolicited email messages – one to Ms Smith de Bruin and another to Patrick Wilkinson.

In evidence, assistant data protection commissioner Tony Delaney told the court the defendant company had admitted sending the spam email after a formal warning had previously been issued by the Data Protection Commissioner following an earlier complaint by Ms Smith de Bruin.

He said it had also confirmed having sent a spam email to Mr Wilkinson without providing a means of allowing him opt out of receiving further marketing emails. The company pleaded guilty to both charges.

Operations director of Lex Software, John Gilmartin, submitted that Ms Smith de Bruin’s details had been removed from the company’s list at her request but when a new list of contacts had been created using the updated legal directory, her details had been included in error.

The company had engaged an external provider to ensure all future marketing emails would contain a means of opting out.

Judge William Hamill imposed convictions on both charges and fined the company €200 in respect of each one.

Separately, Judge Hamill convicted Hanford Commercial Ltd, trading as the Maldron Hotel, Wexford, on a charge of sending an unsolicited marketing message by text, where a complainant had previously opted out of receiving such messages. The company pleaded guilty to the charge. Judge Hamill imposed a fine of €200.

Mr Delaney told the court the complainant, Robert Gogan, had previously sought the assistance of the Data Protection Commissioner to ensure his details were removed from the company’s database and that a formal warning had been issued to it in February of last year.

Sean McKeon, of the hotel group, told the court steps had been taken to ensure compliance with the regulations on sending such material.

Tuesday, 10 September 2013

Garda Síochána Ombudsman Commission seeks unlimited access to criminal records

The Irish Times - 10th of April 2013 

The Garda Síochána Ombudsman Commission has urged Minister for Justice Alan Shatter to give it unfettered access to the Garda’s Pulse computer database, which includes intelligence on criminals.

The move is likely to be strongly resisted by Garda Headquarters as it would represent the first time in the history of the force that the Garda did not have full control, and the ability to disseminate as it sees fit, the intelligence at its disposal. The Commission has expressed concern that under current procedures it is reliant on assurances from the Garda that information passed to it represents the “totality of such information held” on whatever matter it may be investigating.

“The absence of any independent access to (the Pulse) systems raises issues around the effectiveness of the Ombudsman Commission’s oversight investigative function,” it said in a report to Mr Shatter.

The report contains a series of recommendations arising from the Commission’s recently concluded major investigation into how gardaí handled drug dealer and informer Kieran Boylan. It had encountered “delays in access to documentation and intelligence” held by the Garda as a “constant feature” of the four-year investigation, citing those delays as the reason for the excessive time taken to complete the inquiry.

Aside from what it believes were serious delays in providing information to it, Gsoc has also expressed serious concern that measures around the registering of Garda informers and recording the extent and nature of contact with them are possibly not being followed. It outlined its concerns in a brief report published yesterday at the conclusion of its investigation into the Boylan affair. Mr Shatter later released a fuller version of that report sent to him by Gsoc last week in which it made a number of recommendations. Mr Shatter is reviewing the report and awaiting observation on it from Garda Commissioner Martin Callinan.

However, Mr Shatter last night released a two-page report from a retired High Court judge TC Smyth SC, who has examined the use of informers. In a report on it dated October 2012 the judge informed Mr Shatter there appeared to be “substantial compliance” with the rules set down for handling informants under it.

The Data Protection Acts 1998 to 2003 confer rights on you to access certain information (on computer, in manual or paper files) about you which is held by the Gardaí. An example of this information would be any entry by the Gardaí on the Garda PULSE system (the Garda computer system), or in Garda investigation files.

You have a number of other rights under the Data Protection Acts, in addition to the right of access described above. These additional rights include the right to have any inaccurate personal information about you corrected or erased and the right to complain to the Data Protection Commissioner.

Can I access any data being held on me by the Gardaí?

Section 4 of the Data Protection Act allows you to make a request to the Gardaí for a copy of any of your personal data being kept by them. On making an access request to the Gardaí, you are entitled to:

• A copy of the data being kept about you

• A copy of any data held about you which is an opinion (except where such opinions were given in confidence)

• Know the purpose for which the data is being kept

• Know the identity of anyone to whom the Gardaí disclose that data

• Know the source of the data (i.e. where the data came from) unless it is contrary to public interest.

Once the Gardaí receive a correct request from you, they must reply to you within 40 days. This is the case even if they do not hold any of your personal data or they are refusing the request.

If the Gardaí decide that the information is to be provided to you, they must:

• Supply the information to you within 40 days of receiving your request

• Provide the information in a manner or form which will be clear to you.

Why can the Gardaí refuse my request?

Under the Data Protection Acts, the Gardaí can refuse any request for personal data and can withhold that information on the following grounds:

• If the access application or request for data would identify someone else. This also applies in relation to the obligation on the Gardaí to provide details of the source of the information held. If the source or origin of the information identifies a third party, then it can be withheld.

• If the personal data being kept is for the purpose of preventing, detecting or investigating crime, or for arresting or prosecuting offenders.

Can somebody apply to the Gardaí for my personal data on my behalf?

Yes. The Gardaí may receive an access request by a representative on your behalf. They will, however, need to satisfy themselves as to the identity of that person and will have to be provided with enough information about you to assist in establishing identity and locating the data sought or requested.

The Gardaí will require written confirmation from you, authorising your representative to make the request. An example of this could be where your solicitor would be authorised by you to request the information. Where the request is in relation to a child, then a parent or guardian can exercise the right to apply for and receive the information on behalf of the child if:

• The child does not have the intellectual ability to understand the nature of the request

• The parent or guardian is acting in the best interest of the child.

Can the Gardaí access personal data held on me by other people?

Yes. In certain circumstances, the Gardaí are entitled to access your personal data. In such circumstances the person holding such personal data on you will not be in breach of the rules against disclosing personal data to third parties. The following are the occasions where the Gardaí are allowed to access such personal data:

• If in the opinion of a member of the Gardaí (not below the rank of Chief Superintendent), the personal data is required for the purpose of safeguarding the security of the State

• If the personal data is required for the purpose of preventing, detecting or investigating crime or for arresting or prosecuting offenders

How to apply.

How do I apply to the Gardaí for my personal data?

Requests for personal data must be made in writing to the Garda Criminal Records Office. While it is not a requirement to mention the Data Information Acts, it is recommended that you do. You can download the Gardaí's access request form (pdf).

You must provide enough information to establish your identity and to allow the Vetting Unit to locate the information you request. It is important (from the Gardaí’s point of view) that they establish your identity to ensure the information is given to the right person.

In order to obtain your own personal data, you are required to provide the following:

• Your full name

• Your correct date of birth

• Any other names used by you

• Your current address and previous addresses in Ireland

• A copy of your passport, driving licence or birth certificate

• A fee of €6.35.

What can I do if the Gardaí refuse my request?

If you are of the opinion that the Gardaí are in breach of the law by not giving you the personal data you requested, you can make a complaint to the Data Protection Commissioner. The Commissioner will investigate your complaint unless they are of the opinion that the complaint is frivolous or vexatious. (That is, your complaint is without any foundation). As soon as the Data Protection Commissioner has investigated your complaint, you will be notified in writing of the decision.

If the Data Protection Commissioner is of the opinion that the Gardaí are in breach of the Act, the Commissioner may serve what is called an enforcement notice on the Garda Commissioner and make the Gardaí hand over to you the information you requested.

Friday, 6 September 2013

Police data abuses difficult to safeguard despite new systems

Irish Times, 5th September 2013

This July Accenture signed a 10-year agreement with Police Scotland to develop and maintain a new “operational policing system”.

A modern update of the Pulse platform which the company built for the Garda more than a decade ago, i6 as it has been christened, will streamline “in the region of 120 different systems into one” in Scotland.

However, Accenture’s global managing director for defence and public safety, Ger Daly, admits there’s no guarantee the privacy and abuse concerns which have plagued the Irish policing platform since its launch in 1999 won’t be replicated within i6.

“I don’t know if you can ever prevent anybody from [carrying out] malicious work,” concedes Daly, “but at least if you can see it happening you can detect it.”

Here Daly is referring to reports earlier this year of Garda members apparently using the Pulse service to look up details of individuals who had carried out no criminal offences or, indeed, to expunge penalty points from motorists’ licences.

Personal data

All of which led to Minister for Justice Alan Shatter asking the Garda to ensure the database was not to “be used as some sort of social network to be accessed out of curiosity by members of the force”.

Joe McNamee, EU advocacy co-ordinator with the European Digital Rights group, told The Irish Times that “the protection of personal data is in a state of permanent chaos in Ireland”, but that in a “well regulated” environment IT platforms of the type which Accenture built for police forces can be effective.

For his part, Daly says that with regard to the Pulse transgressions, every change made or file accessed within the system is “fully logged and audited”, and that “typically as an officer you need to put in a reason as to why you’re inquiring [about] something”.

Police Scotland’s deputy chief constable Neil Richardson certainly has faith in the new system, saying at the time of the project’s launch it would “increase the ability of our officers to fight crime and be more visible in our communities”. Daly says i6 will “manage policing from detecting incidents, creating warrants, charging someone, recording bail” and more, resulting in radical efficiency benefits.

“Think about the poor officer coming in off the street, recording an incident and then having to look up even close to a tenth of those 120 different [IT- and paper-based] information sources in order to check for something.”

The new system will, he adds, create a “golden record” for those in the system and a “single, integrated information source” for officers.

Thursday, 1 August 2013

The Right to Privacy in Ireland: Irish state bodies make 10,000 requests for personal information every year

Irish Times - Thu, Jul 25, 2013

State agencies target Irish phone and internet records

Up to 10,000 requests for information made annually in Ireland - compared with just 326 for Austria

Irish authorities made 27 times as many requests for people’s stored phone and internet use data compared to law enforcement agencies in comparably sized Austria, according to submissions to the European Court of Justice (ECJ) in Luxembourg.

The information was supplied in a day-long hearing on July 9th by parties to an ECJ case which is considering the legality of the European Data Retention Directive (2006/24/EC), which allows member states to store data on daily call and internet activity for the EU’s 500 million residents.

The case originates in a challenge to the constitutionality of Ireland’s data-retention laws, taken by privacy advocates Digital Rights Ireland. The case was referred by the Irish High Court to the ECJ.

Ireland, which stores Irish residents’ landline and mobile call access data, as well as some data related to internet usage, for two years, told a panel of ECJ judges that “6,000 to 10,000” requests were made annually under Irish law.

The directive limits the use of such data to combating serious crime and terrorism.

Retention statistics
Counsel representing Austria said authorities there had made 326 requests for data in a recent one-year period.

The UK refused to disclose figures at the hearing.

It is not clear to what the figure of “6,000 to 10,000” requests presented by Irish counsel to the ECJ refers.

According to statistics released in a 2012 European Commission report by member states on data requests made in 2010, and cited at the hearing as evidence in support of the directive’s implementation, Irish authorities – comprising the Garda, Revenue Commissioners or Defence Forces – made 14,928 data orders.

The Department of Justice released 2011 figures last week, confirming 12,675 data requests.

Asked this week by The Irish Times to clarify whether the figures presented were an average or if they referred to as yet unreleased 2012 data request figures, a spokesman for the Department of Justice said: “The communications data retention statistics for Ireland for 2012 are in the order of 9,000 requests.”

The spokesman declined to offer further detail on the nature of the requests, stating: “It is not the practice nor would it be in the public interest to go into further detail of the provision of the data to the relevant authorities.”

Asked whether Ireland had a much higher rate of serious crime than Austria, the department responded: “The operation of data retention regimes in other EU member states is a matter for the authorities of those states.”

The European Court of Justice is focused on whether the European Union’s Data Retention Directive, which allows states to choose a retention period of six months to two years, represents a proportional approach to ensuring that some call and internet data are available for law enforcement and security needs.

Data requests

Unusual for the ECJ, the hearing concentrated on human rights aspects of data retention, in particular how the directive fits with articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

According to the European Commission’s 2010 study, for those countries that supplied (often incomplete) information, the vast majority of data requests were made within the first three months of the data being created, and most of the remainder in the first six months.

Personal data of creche staff posted online

Irish Times - 30th July 2013

Personal data of creche staff posted online ‘outrageous’

The body representing childcare providers has said it is “outrageous” for personal information on staff to be posted online as part of the publication of HSE inspection reports.

Staff References

The HSE said it was unable to respond yesterday evening to a query about the posting of the staff references. The Data Protection Commissioner was unable to say if the postings were a data breach. The report on Clifden Community Playgroup had been taken off the pobal.ie website last night.

Character references for three staff at Clifden Community Playgroup in Co Galway were included in a report posted online. The references were sent into the HSE by the playgroup following an inspection in May 2012 when it was told references for all staff had to be made available.

The inspection report was posted online in recent days by the HSE and it included, as it often does, the reply of the childcare provider indicating changes made after concerns were raised. But in the case of the Clifden Community Playgroup it also included the character references of three staff which the playgroup sent in.

“It is outrageous that references would be put up online. It is simply not fair if they are putting up personal information,” said Irene Gunning, chief executive of Early Childhood Ireland, which represents the majority of creches and childcare providers.

The HSE began posting the creche reports online earlier this month in a move to make the childcare system more transparent for parents. It follows an RTÉ documentary in June which highlighted mistreatment of children at three creches.

So far, reports for childcare providers in four counties have been posted online – Limerick, Mayo, Clare and Galway. Many reports show creches and childcare providers do not have adequate records for staff in relation to Garda vetting and references. Early Childhood Ireland has said delays of 12 weeks for getting Garda vetting makes it difficult for childcare providers to be compliant on this.

Galway reports, which were posted up late last week and yesterday, highlight infrastructure deficiencies in some creches, including broken toilet seats, peeling paint and mould.

Wednesday, 12 June 2013

Forget Prism and the National Security Agency. The real threat to your privacy is you.

The Irish Times - Wednesday 12th June 2013
It took the rest of us the entire history of the human race to decide our social norms – and Mark Zuckerberg just a few hours to toss them aside

By reading this article online, you agree to certain terms of service. They include adhering to community standards, permitting the use of cookies, and consenting to surrender your soul in perpetuity to The Irish Times and all its third-party partners.

You’re still here – in which case, like the other 98.4 per cent of us, you’ll have skipped everything after the words “terms of service”. (If you’re one of the 1.4 per cent who, according to a survey by UC Berkeley, actually reads the terms of service, we were lying about the perpetuity bit. You can have your soul back in 2027.)

For all that we harp on publicly about privacy infringements and data mining, the vast majority of us neither know nor care which new frontier in the privacy wars is being breached when we visit a website or download an app, so long as it amuses us for more than three minutes.

So yes, recent revelations that the American National Security Agency (NSA) is mining the internet and phone data of millions of the world’s citizens are a bit of a worry – but not nearly as alarming as the information we willingly surrender about ourselves several times a day.

The reports, in case you missed them, revealed that the NSA has for the past seven years been logging every phone call, email, search history, live chat, video call, upload and download in the US.

President Barack Obama described this as a “modest encroachment on privacy” – and I agree with him. What the NSA is doing may not be reasonable or justified, but compared to some of the stuff most of us willingly and unthinkingly give up in the name of commerce, it’s still pretty small fry.

I use the word “us” advisedly – anyone who thinks this is just an American story probably hasn’t grasped the “global” part of “global intelligence gathering”. If you’ve ever made or received a call to or from someone in the US, or used an American-based server to access the internet, then yes, somewhere in the Utah desert, there’s a data server with your name in it.

But take my advice, and forget about it. Because the real threat to your privacy is you.

When Facebook made controversial changes to its privacy policy in 2009, turning data that had been private into public information overnight, chief executive Mark Zuckerberg gave us a frank insight into how things were going to be from there on in. “We decided that these would be the social norms now,” he said. That’s right: it took the rest of us the entire history of the human race to figure out what norms we would like to impose on our society, and Zuckerberg just a few hours to toss them aside.

That’s the point at which we should have started manning the barricades, or at least deleting our Facebook accounts. But we didn’t. We worried about the idea of a 25-year-old former frat boy with a penchant for fleece setting our social norms for roughly a week, and then we forgot about it.

Since then, Facebook, Google, Apple and the other giants of the online world have been busily redrafting our social norms at regular intervals. In the summer of 2010, an academic article by UC Berkeley about a then-new concept called “geotagging” – software which allows your phone to use its GPS to record your exact location when you publish something online – prompted a rash of news articles highlighting the dangers of oversharing.

Friday, 24 May 2013

Data Protection Commissioner publishes 2012 Annual Report

It has been an eventful week for data protection and privacy law. On Tuesday the 21st of May last the Data Protection Commissioner published his 2012 Annual Report. In his press release Mr Hawkes outlined a number of concerning data protection issues. He stated that a 'worrying degree' of inappropriate access to personal data by State employees was detected in an audit carried out by his Office. He said that these breaches and intrusions on privacy rights display a serious lack of awareness within the HSE as to what actually constitutes appropriate access. Mr Hawkes also emphasised the need for additional resources for his Office to cope with the growth in complaints it receives.

The on-going saga involving Justice Minister Alan Shatter and T.D. Mick Wallace also raises issues within data protection and privacy law. Mr Shatter revealed during a debate on RTÉ last week that Mr Wallace had been seen by gardaí using a mobile phone while driving. He said he learned of the incident during a briefing with members of the Garda about penalty points. The Data Protection Commissioner has said he would be willing to investigate the matter fully if he received a formal complaint from Mr Wallace about improper use of private information. The decision of Mr Shatter to reveal such confidential information on national television undermines An Garda Síochána as a public body whose duties include safeguarding records and confidential information of citizens. It is likely that the data protection breach here will be investigated further.

On the 24th of May last the Irish Times reported that Minister for Social Protection Joan Burton intends to make births, deaths and marriages accessible online for the first time. The relevant legislation permitting the creation of the online register is the Social Welfare and Pensions Bill 2013. The development is aimed at combatting fraudulent social welfare claims. Birth, Death and Marriage Certificates can be taken up at the public office on application together with the prescribed fee. The creation of a database of such information will no doubt have implications for data protection and privacy law.

Friday, 19 April 2013

Increase in Funding for the Office of the Data Protection Commissioner

The Minister for Justice, Alan Shatter, has underlined the Government’s ongoing strong support for the Office of the Data Protection Commissioner.

The Minister and the Government are acutely aware of the critical importance of the role of the Office of the Data Protection Commissioner in the development of the digital economy.

The Minister has already, in the context of the Budget allocations for 2013, made available significant additional supports and resources to the Office of the Data Protection Commissioner, which include:

• A 20% increase in the budget for the Office in 2013 (compared with 2012). This significant increase is noteworthy given that budgets for many public sector organisations have been reduced significantly, having regard to the current economic circumstances;

• Additional staffing resources which have been put in place including:

• Specialist staff including a Chief Technology Advisor and a legal advisor

• Additional administrative staff.

The Minister has also committed to providing whatever additional resources are necessary to enable the Data Protection Commissioner to continue to discharge the vital functions of his Office.

In the context of Ireland’s Presidency of the European Union, as part of its focus on the Digital Agenda, the Irish Presidency will work to reach agreement in the Council on key aspects of the data protection package. This is aimed at ensuring that citizens will have more control over their personal data.

Part of the data protection package includes proposals for a "one stop shop" data protection regime, i.e. where a multinational company is currently subject to the jurisdiction of multiple data protection authorities (DPAs), the proposed Regulation would provide for a multinational to be subject to a "one stop shop" single DPA working in close collaboration with other DPAs where services are being provided in different EU Member States. This is likely to have considerable implications for the Office of the Data Protection Commissioner in Ireland, including significant resourcing demands.

Friday, 8 March 2013

Large tech firms to welcome softer EU line on personal privacy

Irish Times - 7th March, 2013.

Brussels will be forced to water down tough data protection rules in a move that will come as a relief to tech groups after many of the EU’s member states called for a softer approach to the privacy push.

The climbdown will be welcomed by companies that collect large amounts of personal data, such as Google and Facebook, which have lobbied furiously against the proposed regulation, as well as the US government.

Washington has repeatedly voiced its concern that the rules, which include the power to fine companies up to 2 per cent of global turnover for breaching onerous data protection standards, were targeted specifically at US technology groups.

Resolving the transatlantic dispute over data protection rules could ease the way towards a new EU-US trade agreement over the next two years, which boasts huge commercial potential but is also rife with complications. 

The plan will be softened after at least nine countries – including the UK, Germany, Sweden and Belgium – said they were opposed to several proposed measures. 

Copyright The Financial Times Limited 2013

Thursday, 21 February 2013

European Parliament to vote on united Data Protection Legislation

Members of the European Parliament will vote this week on a European Commission proposal on Data Protection.

Private companies such as Google and Facebook are under constant scrutiny in respect of their privacy policies and the EU is under pressure to be seen to be taking some action. The newest proposal advocates the establishment of a single set of rules on data protection and online privacy. Currently each member state applies its own laws and sanctions. The main focus of the proposal is to target large companies, so it will be important that the new regulations do not impose overly onerous administrative burdens on small and medium sized companies.

Under the new proposals, each national data protection authority will be responsible for implementing the new EU law. At the moment the administrative costs of complying with 27 different regulations from the member states stand at £2.3 billion a year.

A united set of regulations for all Member States is common sense from a cost-effectiveness perspective, but it is important that the new regulations take account of the differing circumstances and resources of companies.

Thursday, 7 February 2013

Church defection website seeks record

Irishtimes.com - Tuesday, January 29, 2013.

JASON KENNEDY - The founder of a website formerly used to allow people leave the Catholic Church is asking people who still wish to defect to retrieve their records from their parish.

Paul Dunbar, who runs countmeout.ie, is asking people to request a copy of their records from the parish they were born in. Mr Dunbar hopes that data protection legislation can be used to force the church to amend their records to reflect the member’s desire to leave the organisation.

Catholics may no longer formally defect from the Church after a change in canon law that took place in 2010. Before that, countmeout.ie said more than 12,000 copies of its online form to defect had been downloaded.

A spokeswoman for the Archdiocese of Dublin would not comment on Mr Dunbar’s campaign, but reiterated the statement issued in 2010, saying it was a change that did not just affect the Church in Ireland, but also the world. “The Archdiocese of Dublin plans to maintain a register to note the expressed desire of those who wish to defect. Details will be communicated to those involved in the process when they are finalised,” she said.

Despite this, Mr Dunbar says people are still unable to leave the church of their own accord, even through excommunication. “During April 2011, we assisted 16 people in their effort to have an Act of Apostasy recognised as a formal declaration of their wish to leave the church,” he said.
However, the Archdiocese of Dublin has decided it cannot accept these declarations, meaning those who wish to leave the church “continue to be denied this option”, he said.

“We have sent letters to Archbishop Martin and the Vatican over the last few months and we never got reply. If people don’t wish to be a part of the institution, it has no right to bind them there. It’s frustrating.”

Friday, 18 January 2013

FBD appeals against Data Breach Award

The Irish Times - Saturday, January 12, 2013

An insurance company has appealed to the High Court against an award of €15,000 damages to a man over breach of his data protection rights.

FBD Insurance claims painter and decorator Michael Collins suffered no loss from the admitted breach after he made a claim when his work van was stolen outside his home at Mellowes Park, Finglas, Dublin, in September 2008.

Mr Collins said he lost work due to not having the van until it was recovered three months later, when he withdrew his claim. During that period FBD, on the basis of confidential information on him which it failed to disclose to him in accordance with data protection law, declined to deal with his claim, he said.